We Claim: 

1. A method of detecting a rogue access point comprising the steps of:
directing a packet from a supplicant to a network through an access point;
receiving a network response packet by the supplicant from the access point;
determining whether the access point is one of a valid network access point and a rogue access point based on whether the network response packet received from the access point is respectively in one of conformity and nonconformity with predetermined expectations.

2. The method of claim 1 wherein, if the access point is determined to be a valid network access point, further comprising the step of authenticating the supplicant to the network.

3. The method of claim 1 wherein, if the access point is determined to be a rogue 
access point, further comprising the step of reporting the rogue access point to the network. 

4. The method of claim 3 wherein the step of reporting comprises contacting the 
network by the client through a valid network access point. 

5. The method of claim 1 wherein the predetermined expectations comprise data traffic conforming with IEEE 802.1X standards.
6. The method of claim 1 wherein the predetermined expectations comprise a mutual authentication to the network, wherein non-conformity is determined by a failure of the mutual authentication.

7. The method of claim 6 wherein the mutual authentication comprises:
issuing a challenge from the server to the client;
issuing a counter-challenge from the client to the server;
wherein mutual authentication fails at the counter-challenge since the access point's username and password are not found in the server's database.

8. The method of claim 6 wherein the mutual authentication comprises:
directing a message containing identity credentials from the supplicant, through the access point, to an authentication server;
validating the identity credentials of the supplicant using the authentication server;
forwarding a send key from the authentication server to the supplicant through the access point;
independently deriving a session key from the send key and the identity credentials by the supplicant and the authentication server;
encrypting data packets between the supplicant and the authentication server using the derived session key.
9. The method of claim 8 wherein the credentials are a username/password combination.



10. The method of claim 8 further comprising:
prior to the step of directing, sending a start message from the supplicant to the access point;
sending an identity request message from the access point to the supplicant; and
wherein the step of directing a message comprises sending an identity response message containing the identity credentials from the supplicant to the access point in response to the identity request message, and forwarding the identity response message from the access point to the authentication server.



11. The method of claim 10 wherein the authentication server is a RADIUS server and wherein the identity response message is in the form of a RADIUS access request, wherein the method further comprises the steps of:
responding to the RADIUS access request with a RADIUS challenge from the authentication server to the supplicant; and
responding from the supplicant to the RADIUS challenge according to the RADIUS protocol.

12. The method of claim 11 wherein the steps of validating and forwarding comprise sending the supplicant a RADIUS accept message and wherein the send key comprises an MS-MPPE-Send-Key.

13. The method of claim 8 wherein the step of forwarding a send key comprises supplying key length and key index to specify encryption parameters for the session key.
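How a RADIUS server carries the send key of claims 12 and 13 inside a RADIUS accept message, worked through as an added example in Python (not code from the patent): the MS-MPPE-Send-Key attribute of RFC 2548, section 2.4.2, is a Vendor-Specific attribute (type 26, Vendor-Id 311, Vendor-Type 16) whose plaintext leads with a key-length octet and is encrypted under the RADIUS shared secret and the packet's Request Authenticator, so that only the network access server holding that secret can unwrap it. The shared secret, Request Authenticator, salt and the 104-bit WEP key used below are constructed sample values, and the function names are this example's own.

```python
"""MS-MPPE-Send-Key wrapping and unwrapping per RFC 2548, section 2.4.2.

Added example, not the patent's code. Salt, secret, authenticator and key
values used in the demo are constructed for illustration.
"""
import hashlib
import struct

ATTR_VENDOR_SPECIFIC = 26
VENDOR_MICROSOFT = 311     # Vendor-Id in the Vendor-Specific attribute
MS_MPPE_SEND_KEY = 16      # Vendor-Type for MS-MPPE-Send-Key
MS_MPPE_RECV_KEY = 17      # Vendor-Type for MS-MPPE-Recv-Key


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_mppe_key(key: bytes, secret: bytes, authenticator: bytes, salt: bytes) -> bytes:
    """Return Salt || String: b(1) = MD5(S+R+A), c(i) = p(i) xor b(i), b(i) = MD5(S + c(i-1))."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("Salt must be 2 octets with the high bit of the first set")
    # Plaintext: one key-length octet, the key, then zero padding to a multiple of 16.
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    prev, out = authenticator + salt, b""
    for i in range(0, len(plain), 16):
        block = _xor(plain[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return salt + out


def decrypt_mppe_key(payload: bytes, secret: bytes, authenticator: bytes):
    """Recover the key from Salt || String; None if the length octet is inconsistent."""
    salt, cipher = payload[:2], payload[2:]
    if len(cipher) == 0 or len(cipher) % 16:
        raise ValueError("String must be a non-empty multiple of 16 octets")
    prev, plain = authenticator + salt, b""
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        plain += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    key_len = plain[0]
    if key_len > len(plain) - 1:   # a wrong secret or tampering usually lands here
        return None
    return plain[1:1 + key_len]


def build_mppe_attribute(vendor_type: int, payload: bytes) -> bytes:
    """Wrap Salt || String as Type 26 / Length / Vendor-Id / Vendor-Type / Vendor-Length."""
    body = struct.pack("!IBB", VENDOR_MICROSOFT, vendor_type, 2 + len(payload)) + payload
    if 2 + len(body) > 255:
        raise ValueError("attribute too long for a single RADIUS attribute")
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def parse_mppe_attribute(attr: bytes):
    """Return (vendor_type, Salt || String) after checking both length fields."""
    atype, alen, vendor_id, vtype, vlen = struct.unpack("!BBIBB", attr[:8])
    if atype != ATTR_VENDOR_SPECIFIC or vendor_id != VENDOR_MICROSOFT:
        raise ValueError("not a Microsoft vendor-specific attribute")
    if alen != len(attr) or vlen != len(attr) - 6:
        raise ValueError("length fields do not match the attribute")
    return vtype, attr[8:]


def round_trip(key: bytes, secret: bytes, authenticator: bytes, salt: bytes):
    """Server side builds the attribute; NAS side parses it and unwraps the key."""
    attr = build_mppe_attribute(MS_MPPE_SEND_KEY, encrypt_mppe_key(key, secret, authenticator, salt))
    vtype, payload = parse_mppe_attribute(attr)
    assert vtype == MS_MPPE_SEND_KEY
    return decrypt_mppe_key(payload, secret, authenticator)


if __name__ == "__main__":
    # Constructed values: a 104-bit WEP key, a shared secret and a Request Authenticator.
    WEP104 = bytes.fromhex("00112233445566778899aabbcc")
    print(round_trip(WEP104, b"sharedsecret", bytes(range(16)), b"\x80\x01").hex())
```

The key-length octet is what lets the receiver strip the zero padding; the salt must be unique per attribute within one packet, and each attribute is limited to 255 octets, which is ample for the 40-bit and 104-bit WEP keys of claim 14.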



14. The method of claim 13 wherein the encryption parameters are based on one of a 40/64-bit and a 104/128-bit key.


15. The method of claim 8 further comprising the initial step of configuring the 
supplicant in a device mode where the identity credentials are stored on a network card for 
non-interactive authentication by a user. 

16. The method of claim 8 further comprising the initial step of configuring the supplicant in a network logon mode where the identity credentials are integrated into a network logon to enable a single sign-on for network authentication and PC network logon.


17. The method of claim 8 further comprising the initial step of establishing authenticator support comprising:
configuring the access point to use one of 40/64-bit and 104/128-bit WEP mode; and
providing the access point with the authentication server address and encryption scheme to be used for communication.


18. The method of claim 8 further comprising the initial step of establishing the authentication server comprising:
setting up a user database selected from at least one of a local database and a network database; and
setting up the access point as a network access server.



19. The method of claim 8 wherein the supplicant, access point and authentication server are part of a wireless local area network.

20. The method of claim 8 wherein the supplicant, access point and authentication server are part of a hard-wired local area network.
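The exchange that claims 1 through 8, 10 and 11 describe, worked through as an added example in Python (not code from the patent): the supplicant sends a start frame, answers the identity request, completes a challenge and counter-challenge with the authentication server through the access point, and classifies the access point by whether every reply conforms to the predetermined expectations. Two rogue behaviours are modelled, one that does not speak 802.1X at all and one that mimics the exchange but, lacking the user database, cannot answer the counter-challenge. The HMAC-SHA256 challenge scheme, the PBKDF2 password key, the dictionary message format and all user names, passwords and addresses are assumptions constructed for the example; the claims fix no particular algorithm.

```python
"""Rogue access point detection by checking an 802.1X-style exchange against
predetermined expectations. Added example, not the patent's code: messages are
plain dicts and the mutual challenge/counter-challenge is a stand-in built on
HMAC-SHA256 over a password-derived key; all credentials are constructed."""
import hashlib
import hmac
import os

class Nonconformity(Exception):
    """A reply that a valid 802.1X network would not have sent."""

def password_key(username, password):
    # Stand-in for the per-user secret held in the server's database (constructed scheme).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), username.encode(), 10_000)

def prove(key, nonce):
    # Challenge and counter-challenge proofs: HMAC of the nonce under the user key.
    return hmac.new(key, nonce, hashlib.sha256).digest()

def derive_session_key(send_key, user_key):
    # Supplicant and server derive this independently from the send key and credentials.
    return hmac.new(user_key, b"session" + send_key, hashlib.sha256).digest()

class AuthServer:
    """RADIUS-like server; only it holds the user database needed for the counter-challenge."""
    def __init__(self, users):
        self.keys = {u: password_key(u, p) for u, p in users.items()}
        self.pending, self.session_keys = {}, {}
    def access_request(self, identity):
        self.pending[identity] = os.urandom(16)
        return {"type": "challenge", "challenge": self.pending[identity]}
    def access_response(self, identity, response, counter):
        key, challenge = self.keys.get(identity), self.pending.pop(identity, None)
        if key is None or challenge is None or not hmac.compare_digest(response, prove(key, challenge)):
            return {"type": "reject"}
        send_key = os.urandom(32)
        self.session_keys[identity] = derive_session_key(send_key, key)
        return {"type": "accept", "counter_response": prove(key, counter), "send_key": send_key}

class ValidAccessPoint:
    """Authenticator that relays the EAP conversation to the real server."""
    def __init__(self, server):
        self.server = server
    def handle(self, frame):
        if frame["type"] == "eapol_start":
            return {"type": "eap_request_identity"}
        if frame["type"] == "eap_response_identity":
            return self.server.access_request(frame["identity"])
        if frame["type"] == "eap_response":
            return self.server.access_response(frame["identity"], frame["response"], frame["counter"])
        return {"type": "failure"}

class OpenRogueAccessPoint:
    """Rogue AP that never speaks 802.1X; it just hands out an address (constructed)."""
    def handle(self, frame):
        return {"type": "dhcp_offer", "address": "192.0.2.77"}

class ImpersonatingRogueAccessPoint:
    """Rogue AP that mimics 802.1X but, lacking the user database, must bluff the accept."""
    def handle(self, frame):
        if frame["type"] == "eapol_start":
            return {"type": "eap_request_identity"}
        if frame["type"] == "eap_response_identity":
            return {"type": "challenge", "challenge": os.urandom(16)}
        if frame["type"] == "eap_response":
            return {"type": "accept", "counter_response": os.urandom(32), "send_key": os.urandom(32)}
        return {"type": "failure"}

# Predetermined expectations: the reply types a valid network may give to each frame.
EXPECTED = {"eapol_start": {"eap_request_identity"},
            "eap_response_identity": {"challenge"},
            "eap_response": {"accept", "reject"}}

class Supplicant:
    def __init__(self, username, password):
        self.username, self.key = username, password_key(username, password)
        self.session_key = None
    def _exchange(self, ap, frame):
        reply = ap.handle(frame)
        if reply.get("type") not in EXPECTED[frame["type"]]:
            raise Nonconformity(f"{reply.get('type')!r} is not a valid reply to {frame['type']}")
        return reply
    def classify(self, ap):
        """Return ('valid' | 'rogue' | 'inconclusive', reason) for one access point."""
        try:
            self._exchange(ap, {"type": "eapol_start"})
            chal = self._exchange(ap, {"type": "eap_response_identity", "identity": self.username})
            counter = os.urandom(16)
            acc = self._exchange(ap, {"type": "eap_response", "identity": self.username,
                                      "response": prove(self.key, chal["challenge"]), "counter": counter})
            if acc["type"] == "reject":
                return "inconclusive", "credentials rejected; a reject proves nothing about the AP"
            if not hmac.compare_digest(acc.get("counter_response", b""), prove(self.key, counter)):
                raise Nonconformity("mutual authentication failed at the counter-challenge")
        except Nonconformity as exc:
            return "rogue", str(exc)
        self.session_key = derive_session_key(acc["send_key"], self.key)
        return "valid", "mutual authentication succeeded"
```

A reject from the server is deliberately not taken as evidence either way: an access point that relays a genuine reject conforms to the protocol, but a rogue can emit the same frame, so only a verified counter-response classifies the access point as valid, and only a reply outside the expected set or a failed counter-response classifies it as rogue.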

21. An arrangement for detecting a rogue access point comprising:
means for directing a packet from a supplicant to a network through an access point;
means for receiving a network response packet by the supplicant from the access point;
means for determining whether the access point is one of a valid network access point and a rogue access point based on whether the network response packet received from the access point is respectively in one of conformity and nonconformity with predetermined expectations.

22. The arrangement of claim 21 further comprising means for authenticating the supplicant to the network, if the access point is determined to be a valid network access point.
23. The arrangement of claim 21 further comprising means for reporting the rogue access point to the network, if the access point is determined to be a rogue access point.

24. The arrangement of claim 23 wherein the means for reporting comprises means for contacting the network by the client through a valid network access point.

25. The arrangement of claim 21 wherein the predetermined expectations comprise data traffic conforming with IEEE 802.1X standards.

26. The arrangement of claim 21 wherein the predetermined expectations comprise a mutual authentication to the network, wherein non-conformity is determined by a failure of the mutual authentication.

27. The arrangement of claim 26 wherein the means for mutual authentication comprises:
means for directing a message containing identity credentials from the supplicant, through the access point, to an authentication server;
means for validating the identity credentials of the supplicant using the authentication server;
means for forwarding a send key from the authentication server to the supplicant through the access point;
means for independently deriving a session key from the send key and the identity credentials by the supplicant and the authentication server;
means for encrypting data packets between the supplicant and the authentication server using the derived session key.

28. The arrangement of claim 27 wherein the credentials are a username/password combination.

29. The arrangement of claim 27 further comprising:
prior to the means for directing, providing means for sending a start message from the supplicant to the access point;
means for sending an identity request message from the access point to the supplicant; and
wherein the means for directing a message comprises means for sending an identity response message containing the identity credentials from the supplicant to the access point in response to the identity request message, and means for forwarding the identity response message from the access point to the authentication server.

30. The arrangement of claim 29 wherein the authentication server is a RADIUS server and wherein the identity response message is in the form of a RADIUS access request, wherein the arrangement further comprises:
means for responding to the RADIUS access request with a RADIUS challenge from the authentication server to the supplicant; and
means for responding from the supplicant to the RADIUS challenge according to the RADIUS protocol.
31. The arrangement of claim 30 wherein the means for validating and forwarding comprise means for sending the supplicant a RADIUS accept message and wherein the send key comprises an MS-MPPE-Send-Key.

32. The arrangement of claim 27 wherein the means for forwarding a send key comprises means for supplying key length and key index to specify encryption parameters for the session key.

33. The arrangement of claim 32 wherein the encryption parameters are based on one of a 40/64-bit and a 104/128-bit key.


34. The arrangement of claim 27 wherein the supplicant, access point and authentication server are part of a wireless local area network.

35. The arrangement of claim 27 wherein the supplicant, access point and authentication server are part of a hard-wired local area network.